Abstract. The Feistel scheme is an important structure in block ciphers. The security
of the Feistel scheme is related to its distinguishability from a random permutation.
In this paper, efficient quantum algorithms for distinguishing the classical 3- and 4-round
Feistel schemes and unbalanced Feistel schemes with contracting functions from a random
permutation are proposed. Our algorithms realize an exponential speed-up over classical
algorithms for these problems. Furthermore, the method presented in this paper can also
be used to consider unbalanced Feistel schemes with expanding functions.
1. Introduction

Many block cipher algorithms used in cryptography are Feistel schemes (FS), for
example DES, TDES and many AES candidates. Classical (balanced) FS, unbalanced FS
with contracting functions, and unbalanced FS with expanding functions have been
widely studied. The classical security of the Feistel scheme has been considered in terms
of indistinguishability from a random permutation, because a FS is secure against any
chosen-plaintext attack if it is indistinguishable [HE].

Luby and Rackoff [3] have shown their famous result: all generic attacks on FS with
more than 3 rounds require at least $O(2^{n/2})$ inputs, even for chosen inputs. Moreover,
all the generic attacks on the 4-round FS require at least $O(2^{n/2})$ inputs, even for a stronger
attack that combines chosen inputs and chosen outputs [3]. For 5 rounds or more the
question is more complicated. In Patarin's work [1], it was proved that for 5 rounds or
more the number of queries must be at least $O(2^n)$.

It is known that quantum algorithms can realize a sub-exponential or even exponential
speed-up over known classical algorithms for some problems. Kuwakado [4] showed that
quantum algorithms are effective against the 2-round FS and a variant of the 3-round FS.
A variant of the 3-round FS is distinguishable from a random permutation (RP) by making
$O(2^{n/2})$ classical queries. However, Kuwakado [4] showed that $O(2^{n/3})$ quantum queries
are enough for the same task. In this paper, we present a more effective quantum algorithm
for this problem based on Simon's algorithm [5]; the query complexity here is only $O(n)$.
Furthermore, we propose quantum algorithms for the 4-round FS and for unbalanced FS
with contracting functions. Our quantum query complexity achieves an exponential speed-up
over known classical query algorithms.

The rest of this paper is organized as follows. In Section 2, we give a short overview
of the FS and of quantum computation. In Section 3, quantum algorithms to distinguish
a variant of the 3-round FS and the 4-round FS from a RP are considered. In Section 4,
we present an effective algorithm for unbalanced FS with contracting functions.
Conclusions are given in Section 5.

2. Background 

A Feistel scheme (FS) from $\{0,1\}^N$ to $\{0,1\}^N$ with r rounds is a permutation structured
by round functions. When these functions are randomly chosen, we get what is called
a "random FS". The attacks on these "random FS" are called "generic attacks" since
these attacks are valid for most of the round functions $f_1, \ldots, f_r$. For most classical FS,
we have N = 2n and the round functions $f_i$ are from $\{0,1\}^n$ to $\{0,1\}^n$. Such schemes
are called "balanced" FS.

Unbalanced Feistel Scheme: An unbalanced FS $G_k^d$ with contracting functions
is a FS with d rounds. On some input $[I^1, I^2, \ldots, I^k]$, $G_k^d$ produces an output denoted
by $[S^1, S^2, \ldots, S^k]$ by going through d rounds, where $I^i, S^i \in \{0,1\}^n$ $(1 \le i \le k)$. The
round function $f_j$ at round j is a function from (k-1)n bits to n bits. At each round,
the last (k-1)n bits of the round entry are used as the input to the round function
$f_j$, which produces n bits. Those bits are xored to the first n bits of the round entry.
Finally, before going to round j+1, the kn-bit value is rotated by n bits.
The first round of $G_k^d$ is represented in Fig 1 below.



Fig 1. First Round of $G_k^d$

To demonstrate the superior computational ability of quantum computers, many
distinguishing problems have been studied. Most of the known results showing that
quantum computers outperform their classical counterparts can be phrased as black-box
problems. A black box (oracle) is a subroutine that implements some operation or
function. It provides no information other than taking an input and giving the
prescribed output. Quantum computers can offer superpolynomial speed-ups over
classical computers, but only for certain "structured" problems. The key question is
whether we can find such "structure" for a given task.

FS and RP Distinguishing problem: Given an oracle C that is promised to be either
an r-round FS or a RP, the problem is to determine whether C is FS or RP by making
queries to the oracle C with a complexity as small as possible.

Query complexity [6]: When referring to a black-box algorithm, the query
complexity is the number of applications of the black box or oracle used by the
algorithm. When referring to a black-box problem, the query complexity is the number
of applications of the black box required by any algorithm to solve the problem.

Notations 

We will use the following notations in this paper. 

$I_n = \{0,1\}^n$ is the set of the binary strings of length n. In particular, $\mathbf{0}$ is the
n-bit zero vector.

For $a, b \in I_n$, $a \oplus b$ stands for the bit-by-bit exclusive or of a and b.
The set of all functions from $I_n$ to $I_n$ is $F_n$.

Let f be a function of $F_n$. Let a, b be elements of $I_n$. Then by definition:

$\mathrm{FS}(f)[a, b] = [b, a \oplus f(b)]$.

Let $f_1, \ldots, f_r$ be r functions of $F_n$. Then by definition:

$\mathrm{FS}^r(f_1, \ldots, f_r) = \mathrm{FS}(f_r) \circ \cdots \circ \mathrm{FS}(f_1)$, where $\circ$ is the composition of functions.
$\mathrm{FS}^r(f_1, \ldots, f_r)$ is called "a FS with r rounds".

$G_k^d$ is a d-round unbalanced FS with contracting functions.

Furthermore, we denote a Feistel scheme and a random permutation by FS and RP
respectively.
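The definitions above, as an added classical illustration that is not part of the paper: the balanced scheme $\mathrm{FS}^r(f_1, \ldots, f_r)$ and the contracting scheme $G_k^d$ implemented in Python with round functions drawn as random tables. The function names are this example's own, and the direction of the n-bit rotation (the updated first block moves to the end) is an assumption.

```python
import random

def random_function(in_bits, out_bits, rng):
    """Round function stored as a table: a constructed stand-in for a randomly chosen function."""
    return [rng.getrandbits(out_bits) for _ in range(1 << in_bits)]

def fs_round(f, a, b):
    """FS(f)[a, b] = [b, a xor f(b)] for a, b in I_n and f in F_n."""
    return b, a ^ f[b]

def fs(funcs, a, b):
    """FS^r(f_1, ..., f_r) = FS(f_r) o ... o FS(f_1): f_1 is applied first."""
    for f in funcs:
        a, b = fs_round(f, a, b)
    return a, b

def fs_inverse(funcs, c, d):
    """Undo FS^r: [c, d] = [b, a xor f(b)] gives back [a, b] = [d xor f(c), c]."""
    for f in reversed(funcs):
        c, d = d ^ f[c], c
    return c, d

def contracting_round(f, blocks, n):
    """One round of G_k^d: f takes the last (k-1) blocks, its n-bit output is xored into the
    first block, then the kn-bit value is rotated by n bits (assumed here: first block to the end)."""
    key = 0
    for blk in blocks[1:]:
        key = (key << n) | blk
    return blocks[1:] + [blocks[0] ^ f[key]]

def unbalanced_fs(funcs, blocks, n):
    """G_k^d on input [I^1, ..., I^k] with d = len(funcs) rounds; returns [S^1, ..., S^k]."""
    for f in funcs:
        blocks = contracting_round(f, blocks, n)
    return blocks

def make_balanced(n, rounds, rng=None):
    """FS^rounds with random f_i in F_n, also exposed as a function on 2n-bit integers."""
    rng = rng or random.Random(0)        # fixed seed keeps the demo reproducible
    funcs = [random_function(n, n, rng) for _ in range(rounds)]
    mask = (1 << n) - 1
    def cipher(x):
        a, b = fs(funcs, x >> n, x & mask)
        return (a << n) | b
    return funcs, cipher

def make_contracting(n, k, d, rng=None):
    """G_k^d with random f_j from (k-1)n bits to n bits, as a function on kn-bit integers."""
    rng = rng or random.Random(0)
    funcs = [random_function((k - 1) * n, n, rng) for _ in range(d)]
    mask = (1 << n) - 1
    def cipher(x):
        blocks = [(x >> (n * (k - 1 - i))) & mask for i in range(k)]
        return sum(blk << (n * (k - 1 - i)) for i, blk in enumerate(unbalanced_fs(funcs, blocks, n)))
    return funcs, cipher
```

Both constructions are permutations for any choice of round functions, which is the property the distinguishing attacks in the following sections rely on.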
3. Quantum Attack on Classical Feistel Scheme

3.1. Attack on the Variant 3-round FS

This section shows that a quantum algorithm can make fewer queries to distinguish a
variant of the 3-round Feistel scheme, VFS, from a RP. The variant considered here
is the 3-round FS such that the second internal function $f_2$ is replaced with a RP
on $\{0,1\}^n$. Kuwakado [4] showed that a VFS is distinguishable from a RP by making
$O(2^{n/3})$ quantum queries. However, in this section, we will propose a quantum algorithm
to distinguish a VFS with fewer queries. This distinguishing attack is similar to Simon's
algorithm [5].



Algorithm 1

Input: An oracle C that is promised to be either VFS or RP. A constant
$q \ge \lceil -\log_3 \epsilon \rceil$.

Output: Oracle C is VFS or RP with success probability $1 - \epsilon$.
Let k = 1.

1) While $k \le q$ do

2) For t from 1 to n + 5 do

3) Prepare the 4n qubit state $\sum_{i=0}^{2^n-1} |i\rangle_1 |0\rangle_2 |0\rangle_3 |0\rangle_4$.

4) Apply $U_C$ to create the state $\sum_{i=0}^{2^n-1} |i\rangle_1 |0\rangle_2 |c_i\rangle_3 |d_i\rangle_4$,
where $U_C |i\rangle_1 |0\rangle_2 |0\rangle_3 |0\rangle_4 = |i\rangle_1 |0\rangle_2 |c_i\rangle_3 |d_i\rangle_4$, i.e. $C(i, 0) = (c_i, d_i)$.

5) Measure the fourth register, and then apply $U_C$ again to "uncompute" the value
of the function from the third and the fourth registers; we have a random "coset state"
$\frac{1}{\sqrt{2}}(|i\rangle + |j\rangle)$ in the first register. Let $s = i \oplus j$ and $K = \{\mathbf{0}, s\}$.

6) Apply a Hadamard gate to the first register; the state in the first register is
$\sum_{y \in K^\perp} (-1)^{y \cdot i} |y\rangle$, where the normalization factor has been omitted.

7) Measure the first register to obtain a string $y_t \in \{0,1\}^n$; t = t + 1.

8) Let M be the $(n + 5) \times n$ matrix whose t-th row is the vector $y_t$. Solve the
system $M x_k = 0$; k = k + 1.

9) For $1 \le k \le q$, if $x_k = \mathbf{0}$ holds, then output "VFS"; otherwise, output "RP".



Correctness: After applying the Hadamard gates in step 6, the "coset state"
$\frac{1}{\sqrt{2}}(|i\rangle + |j\rangle)$ gets mapped to $\sum_{y \in K^\perp} (-1)^{y \cdot i} |y\rangle$, where
$K^\perp = \{y \mid y \in \mathbb{Z}_2^n,\ y \cdot s = 0\}$ and the normalization factor has been omitted.
Thus, with n + 5 random samples from $K^\perp$, the sample vectors $y_t$ will generate $K^\perp$
with probability exponentially close to one. Then we can efficiently compute generators
for K by Gaussian elimination, i.e. we can determine whether $i \oplus j = \mathbf{0}$ holds.

Suppose that C is VFS. Since the second internal function is a random permutation,
the values of the first and the fourth register are one-to-one, so the equality $i \oplus j = \mathbf{0}$
always holds. Suppose that C is RP. Since the right part of RP(i, 00...0) is a random binary
string of length n, the number of $|i\rangle$ that map to the same value $|d_i\rangle$ in the fourth
register is two on average. So $i \oplus j \ne \mathbf{0}$ holds with high probability.

Sometimes, for a RP, we will obtain only one or three (or more) different i in the
first register that map to the same value d in the fourth register. In this case, we will
also get the zero solution to the system $M x_k = 0$; the probability will be considered
later.
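The classical post-processing of steps 6 to 9, as an added Python illustration that is not part of the paper: the measurement outcomes $y_t$ are emulated classically by sampling uniformly from $K^\perp = \{y : y \cdot s = 0\}$ (with $s = \mathbf{0}$ modelling the VFS case, where every y is allowed), and the system $M x = 0$ is solved by Gaussian elimination over GF(2). Function names and the bit-packed representation are the example's own.

```python
import random

def parity(v):
    """Parity of the set bits of v; parity(y & s) is the inner product y . s modulo 2."""
    return bin(v).count("1") & 1

def sample_kperp(s, n, count, rng=None):
    """Emulate the measurements of step 7: each y_t is uniform over K^perp = {y : y.s = 0}.
    With s = 0 (the VFS case, where a single |i> survives the measurement) every y is allowed."""
    rng = rng or random.Random(0)           # fixed seed keeps the demo reproducible
    out = []
    while len(out) < count:
        y = rng.getrandbits(n)
        if parity(y & s) == 0:
            out.append(y)
    return out

def gf2_rref(rows, n):
    """Gaussian elimination over GF(2) on n-bit rows packed as ints: returns {pivot column:
    reduced row}, a pivot column being the top set bit of its row and absent from all other rows."""
    pivots = {}
    for r in rows:
        for col in range(n - 1, -1, -1):    # clear the existing pivot columns of r
            if (r >> col) & 1 and col in pivots:
                r ^= pivots[col]
        if r:                               # independent row: it contributes a new pivot
            col = r.bit_length() - 1
            for c in pivots:
                if (pivots[c] >> col) & 1:
                    pivots[c] ^= r
            pivots[col] = r
    return pivots

def gf2_nullspace(rows, n):
    """Basis of {x : M x = 0} for the matrix M whose t-th row is rows[t] (step 8)."""
    pivots = gf2_rref(rows, n)
    basis = []
    for free in range(n):
        if free in pivots:
            continue
        x = 1 << free                       # set one free variable to 1 ...
        for p, prow in pivots.items():      # ... and read off the forced pivot variables
            if (prow >> free) & 1:
                x |= 1 << p
        basis.append(x)
    return basis

def algorithm1_trial(s, n, rng=None):
    """Steps 2-8 for a hidden s = i xor j: x_k is nonzero whenever s != 0 (every sample is orthogonal
    to s, so rank(M) < n); for s = 0 it is 0 unless the n+5 samples fail to span {0,1}^n (prob. ~2^-5)."""
    nullspace = gf2_nullspace(sample_kperp(s, n, n + 5, rng), n)
    return nullspace[0] if nullspace else 0

def algorithm1_decide(s, n, q, rng=None):
    """Step 9: answer 'VFS' only if all q independent trials return the trivial solution."""
    rng = rng or random.Random(0)
    return "VFS" if all(algorithm1_trial(s, n, rng) == 0 for _ in range(q)) else "RP"
```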

Query complexity: If C is RP, then the value $|i\rangle$ in the first register and $|d_i\rangle$ in the
fourth register are two-to-one in general; in particular, we take this probability to be 2/3, i.e.
the error probability of Algorithm 1 can be evaluated as follows:

$P_{err} = \Pr[\mathrm{VFS} \mid \mathrm{RP}] \Pr[\mathrm{RP}] + \Pr[\mathrm{RP} \mid \mathrm{VFS}] \Pr[\mathrm{VFS}]$

$P_{err} \le \epsilon$, so we have $q \ge -\log_3 \epsilon$.

Furthermore, to solve the system $M x_k = 0$, we need only $O(n^3)$ elementary classical
operations. So the above algorithm makes $O(2q(n + 5)) \sim O(n)$ quantum queries,
$O(n)$ elementary quantum operations and $O(n^3)$ classical operations.

Theorem 1 Given an oracle C that is promised to be either VFS or RP, there is
a quantum algorithm to distinguish VFS from RP with $O(n)$ quantum queries.

Proof. The result follows directly from the above analysis.

3.2. Attack on the 4-round Feistel Scheme

Let $C = \mathrm{FS}^4(f_1, f_2, f_3, f_4)$ be a 4-round FS, where C(a, b) = (c, d). In Patarin's work [1],
for a RP, the number N of (i, j), $1 \le i < j \le m$, such that $b_i = b_j$ and $c_i \oplus a_i = c_j \oplus a_j$
is [illegible]. However, for a $\mathrm{FS}^4(f_1, f_2, f_3, f_4)$, the number N is [illegible]. So we take all
$a_i \in I_n$, $b_i = \mathbf{0}$, and count the number N of equalities of the form $c_i \oplus a_i = c_j \oplus a_j$, i < j.
So for a RP $N \approx$ [illegible], and for a $\mathrm{FS}^4(f_1, f_2, f_3, f_4)$ we have $N \approx 2^n$. Then, given
$c \oplus a \in I_n$, for a RP the number of $a_i \in I_n$ such that
$C(a_i, 0) \oplus (a_i, 0) = (c_i \oplus a_i, d_i \oplus 0) = (c \oplus a, d_i)$
is 2 on average. However, for a 4-round FS, the number is 3 on average.

Now a quantum algorithm to distinguish 4-round FS from RP will be proposed. 



Algorithm 2

Input: An oracle C that is promised to be either 4-round FS or RP. A constant
$q \ge \lceil -20 \log_3 \epsilon \rceil$.

Output: Oracle C is 4-round FS or RP with success probability $1 - \epsilon$.
Let k = 1.

1) While $k \le q$ do

2) For t from 1 to n + 5 do

3) Prepare the 4n qubit state $\sum_{i=0}^{2^n-1} |i\rangle_1 |0\rangle_2 |0\rangle_3 |0\rangle_4$.

4) Apply $U_C$ to create the state $\sum_{i=0}^{2^n-1} |i\rangle_1 |0\rangle_2 |c_i\rangle_3 |d_i\rangle_4$,
where $U_C |i\rangle_1 |0\rangle_2 |0\rangle_3 |0\rangle_4 = |i\rangle_1 |0\rangle_2 |c_i\rangle_3 |d_i\rangle_4$.

5) Apply $U_D$ to create the state $\sum_{i=0}^{2^n-1} |i\rangle_1 |0\rangle_2 |i \oplus c_i\rangle_3 |d_i\rangle_4$,
where $U_D |i\rangle_1 |0\rangle_2 |c_i\rangle_3 |d_i\rangle_4 = |i\rangle_1 |0\rangle_2 |i \oplus c_i\rangle_3 |d_i\rangle_4$.

6) Measure the third register, apply $U_D$ and $U_C$ again, then we have a random
"coset state" $\frac{1}{\sqrt{2}}(|i\rangle + |j\rangle)$ or $\frac{1}{\sqrt{3}}(|i\rangle + |j\rangle + |k\rangle)$ in the first register.

7) Call step 6 to step 8 of Algorithm 1.

8) Denote $\hat{x}_k = 1$ if $x_k \ne 0$, else $\hat{x}_k = 0$. Determine whether the oracle C is 4-round FS or
RP through the binary sequence $\hat{x} = (\hat{x}_1, \ldots, \hat{x}_q)$.



Correctness: The distribution of a secure FS should be smooth, i.e., for a given
$c \oplus a \in I_n$, the number of $a_i \in I_n$ such that $C(a_i, 0) \oplus (a_i, 0) = (c \oplus a, d_i)$ is 3 in general.
So, for simplicity, we take the probability to be 2/3. Note that $\hat{x}_i = 1$ if the number is 2,
and $\hat{x}_i = 0$ if the number is 3. Suppose that C is RP; then the equality $\hat{x}_i = 1$ holds with
probability at least 2/3; however, the probability is at most 1/3 for the 4-round FS. Denote
the numbers of $\hat{x}_i = 0$ and $\hat{x}_i = 1$ $(1 \le i \le q)$ in the sequence $\hat{x}$ by $N_0$ and $N_1$, respectively.
So if $N_1 > N_0$, we consider that C is RP; otherwise, C is FS.

Query complexity: By the analysis above, the error probability is evaluated as
follows:

$P_{err} = \Pr[\mathrm{VFS} \mid \mathrm{RP}] \Pr[\mathrm{RP}] + \Pr[\mathrm{RP} \mid \mathrm{VFS}] \Pr[\mathrm{VFS}]$
$= 3^{-r}\left[C_r^0 + C_r^1 \cdot 2 + C_r^2 \cdot 2^2 + \cdots\right]$ (the remaining terms and the final bound are illegible)

$P_{err} \le \epsilon$, so we have $r \ge$ [illegible] $\approx -10 \log_3 \epsilon$, i.e. $q \ge -20 \log_3 \epsilon$.
Furthermore, to solve the system $M x_k = 0$, we need only $O(n^3)$ elementary classical
operations.

The above algorithm makes $O(q(n + 5)) \sim O(rn)$ quantum queries, $O(rn)$
elementary quantum operations and $O(rn^3)$ classical operations.

Theorem 2 Given an oracle C that is promised to be either 4-round FS or RP,
there is a quantum algorithm to distinguish FS from RP with $O(n)$ quantum queries.

The result follows directly from the above analysis. Patarin [1][2] showed that to
distinguish the 4-round FS from RP, classical generic attacks require $O(2^{n/2})$ random
queries and $O(2^{n/2})$ computations. So the quantum algorithm here realizes an exponential
speed-up.

4. Unbalanced FS with contracting functions 

4.1. Attacks on 4-round $G_3^4$

On some input $[I^1, I^2, I^3]$, $G_3^4$ produces an output denoted by $[S^1, S^2, S^3]$. We choose
m messages such that $\forall i$, $I_i^1 = \mathbf{0}$ and $I_i^2 \ne I_j^2$ for all $i \ne j$, where $I_i^1, I_i^2, I_i^3 \in I_n$.
Then count the number N of pairs (i, j) with i < j such that $I_i^2 \oplus I_j^2 = S_i^1 \oplus S_j^1$.
For a RP, this condition appears only by chance. Thus, from Patarin's work [7], we
get $N \approx$ [illegible] $+\, \sigma$, where $\sigma$ denotes the standard deviation. For $G_3^4$ we have
$N \approx$ [illegible] $+\, \sigma$. So take $m = 2^n$; for a RP $N \approx 2^{n-1}$, and for $G_3^4$ we have $N \approx 2^n$.



Quantum Generic Attacks on Feistel Schemes 

So we can obtain an effective algorithm to distinguish $G_3^4$ from RP.

Algorithm 3

Input: An oracle C that is promised to be either $G_3^4$ or RP. A constant
$q \ge \lceil -20 \log_3 \epsilon \rceil$.

Output: Oracle C is $G_3^4$ or RP with success probability $1 - \epsilon$.
Let k = 1.

1) While $k \le q$ do

2) For t from 1 to n + 5 do

3) Prepare the 6n qubit state $\sum_{i=0}^{2^n-1} |0\rangle_1 |i\rangle_2 |0\rangle_3 |0\rangle_4 |0\rangle_5 |0\rangle_6$.

4) Apply $U_C$ to create the state $\sum_{i=0}^{2^n-1} |0\rangle_1 |i\rangle_2 |0\rangle_3 |S_i^1\rangle_4 |S_i^2\rangle_5 |S_i^3\rangle_6$,
where $U_C |0\rangle_1 |i\rangle_2 |0\rangle_3 |0\rangle_4 |0\rangle_5 |0\rangle_6 = |0\rangle_1 |i\rangle_2 |0\rangle_3 |S_i^1\rangle_4 |S_i^2\rangle_5 |S_i^3\rangle_6$.

5) Apply $U_D$ to create the state $\sum_{i=0}^{2^n-1} |0\rangle_1 |i\rangle_2 |0\rangle_3 |i \oplus S_i^1\rangle_4 |S_i^2\rangle_5 |S_i^3\rangle_6$,
where $U_D |0\rangle_1 |i\rangle_2 |0\rangle_3 |S_i^1\rangle_4 |S_i^2\rangle_5 |S_i^3\rangle_6 = |0\rangle_1 |i\rangle_2 |0\rangle_3 |i \oplus S_i^1\rangle_4 |S_i^2\rangle_5 |S_i^3\rangle_6$.

6) Measure the fourth register, apply $U_D$ and $U_C$ again, then we have a random
"coset state" $\frac{1}{\sqrt{2}}(|i\rangle + |j\rangle)$ or $\frac{1}{\sqrt{3}}(|i\rangle + |j\rangle + |k\rangle)$ in the second register.

7) Call step 6 to step 8 of Algorithm 1.

8) Denote $\hat{x}_k = 1$ if $x_k \ne 0$, else $\hat{x}_k = 0$. Determine whether the oracle C is $G_3^4$ or RP
through the binary sequence $\hat{x} = (\hat{x}_1, \ldots, \hat{x}_q)$.



Correctness: The equality $I_i^2 \oplus I_j^2 = S_i^1 \oplus S_j^1$ holds if and only if $I_i^2 \oplus S_i^1 = I_j^2 \oplus S_j^1$ holds.
So by measuring the fourth register and applying $U_D$ and $U_C$ again, we have a random
"coset state"

$\frac{1}{\sqrt{2}}(|i\rangle + |j\rangle)$ (1)

or

$\frac{1}{\sqrt{3}}(|i\rangle + |j\rangle + |k\rangle)$ (2)

in the second register.

We know that $\hat{x}_k = 1$ if state (1) is obtained, and $\hat{x}_k = 0$ if state (2) is obtained. Similarly
to Algorithm 2, if the oracle C is $G_3^4$, then $\hat{x}_k = 1$ with probability at most 1/3; however,
the probability is at least 2/3 for a RP. So it is enough to distinguish $G_3^4$ from RP
by the observed sequence $\hat{x}$.

Query complexity: The complexity is similar to that of Algorithm 2. By the analysis of
Algorithm 2, the error probability is evaluated as follows:

$P_{err} = \Pr[\mathrm{VFS} \mid \mathrm{RP}] \Pr[\mathrm{RP}] + \Pr[\mathrm{RP} \mid \mathrm{VFS}] \Pr[\mathrm{VFS}] \le$ [illegible]

$P_{err} \le \epsilon$, so we have $r \ge$ [illegible] $\approx -10 \log_3 \epsilon$, i.e. $q \ge -20 \log_3 \epsilon$.
Furthermore, to solve the system $M x_k = 0$, we need only $O(n^3)$ elementary classical
operations.
Theorem 3 Given an oracle C that is promised to be either $G_3^4$ or RP, there is a
quantum algorithm to distinguish $G_3^4$ from RP with $O(-10 n \log_3 \epsilon)$ quantum queries.

4.2. Attacks for k+1 rounds with $k \ge 4$

The input and output of $G_k^{k+1}$ are denoted by $[I^1, I^2, \ldots, I^k]$ and $[S^1, S^2, \ldots, S^k]$, respectively.
For $G_k^{k+1}$, we choose $\forall i$, $I_i^2 = \cdots = I_i^k = \mathbf{0}$ and pairwise distinct $I_i^1$. Then from
Patarin's work [1], if we take all $I_i^1 \in I_n$, the number N of pairs (i, j), i < j, such that
$I_i^1 \oplus$ [illegible] $=$ [illegible] holds is $2^n$. However, for a RP, we have $N \approx 2^{n-1}$.
So we can obtain an algorithm similar to Algorithm 3.
It is enough to substitute steps 3 to 6 in Algorithm 3 as follows:

3*) Prepare the 2kn qubit state $\sum_{i=0}^{2^n-1} |i\rangle_1 |0\rangle_2 \ldots |0\rangle_k \ldots |0\rangle_{2k}$.

4*) Apply $U_C$ to create the state $\sum_{i=0}^{2^n-1} |i\rangle_1 |0\rangle_2 \ldots |0\rangle_k |S_i^1\rangle_{k+1} \ldots |S_i^k\rangle_{2k}$,
where $U_C |i\rangle_1 |0\rangle_2 \ldots |0\rangle_k \ldots |0\rangle_{2k} = |i\rangle_1 |0\rangle_2 \ldots |0\rangle_k |S_i^1\rangle_{k+1} \ldots |S_i^k\rangle_{2k}$.

5*) Measure the (k+1)-th register, apply $U_C$ again, then we have a random "coset
state" $\frac{1}{\sqrt{2}}(|i\rangle + |j\rangle)$ or $\frac{1}{\sqrt{3}}(|i\rangle + |j\rangle + |k\rangle)$ in the first register.

The correctness and query complexity follow directly from Algorithm 3, and we have the
following theorem.

Theorem 4 Given an oracle C that is promised to be either $G_k^{k+1}$ or RP, there is
a quantum algorithm to distinguish $G_k^{k+1}$ from RP with $O(n)$ quantum queries.



5. Conclusion 



In this paper, we presented quantum generic attacks against classical FS. We showed that
the 3- and 4-round FS and the unbalanced FS with contracting functions $G_k^d$ are distinguishable
from a RP by making fewer queries than classical attacks. Moreover, the method in this
paper can also be used to distinguish unbalanced FS with expanding functions.

Here we discuss a few more open problems. The main problem is that we have not
considered FS with more rounds. For 6 rounds or more, it is still an open problem
whether or not the number of quantum queries can achieve an exponential speed-up over
classical queries. Furthermore, finding another scheme used in classical cryptography
for which a quantum algorithm realizes a speed-up is more challenging.